sshd
Ansible Role: sshd
Description
This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the DevSec SSH Baseline.
The role is a fork of arillso.sshd.
Installation
ansible-galaxy collection install community.crypto
ansible-galaxy install skriptfabrik.sshd
Requirements
The `community.crypto` collection must be installed (see Installation above); the role has no other requirements.
Role Variables
ssh_ipv6_enable
true if IPv6 is needed
ssh_ipv6_enable: '{{ network_ipv6_enable | default(false) }}' # sshd + ssh
ssh_server_enabled
true if sshd should be started and enabled
ssh_server_enabled: true # sshd
ssh_use_dns
true if sshd should resolve the client's address to a host name (`UseDNS`). OpenSSH defaults this to false since 6.8, see: https://www.openssh.com/txt/release-6.8 — leave it false: it slows down logins and reverse DNS is not a reliable basis for access decisions.
ssh_use_dns: false # sshd
ssh_compression
true, false, or a literal value for the `Compression` option (e.g. 'delayed'), if compression is needed
ssh_compression: false # sshd
ssh_hardening
For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
ssh_client_hardening: true # ssh
ssh_server_hardening: true # sshd
ssh_client_password_login
If true, password login is allowed
ssh_client_password_login: false # ssh
ssh_server_password_login: false # sshd
ssh_server_ports
ports on which ssh-server should listen
ssh_server_ports: ['22'] # sshd
ssh_client_port
port to which ssh-client should connect
ssh_client_port: '22' # ssh
ssh_listen_to
one or more IP addresses on which the ssh-server should listen (`ListenAddress`). The role default below binds to all IPv4 addresses (0.0.0.0); restrict this to the host's management address(es) for security reasons! Add an IPv6 listen address only when `ssh_ipv6_enable` is true.
ssh_listen_to: ['0.0.0.0'] # sshd
ssh_host_key_files
Host keys to look for when starting sshd.
ssh_host_key_files: [] # sshd
# NOTE: if `private_key` is supplied inline as in the example, keep it in an ansible-vault encrypted vars file; a host key committed in plain text must be treated as compromised and rotated.
# - path: "{{ sshd_config_path }}/ssh_host_rsa_key"
# private_key: |
# xxxxxxxxxxxxx
# xxxxxxxxxxxxx
# xxxxxxxxxxxxx
# public_key: |
# xxxxxxxxxxxxx
# xxxxxxxxxxxxx
# xxxxxxxxxxxxx
# size: 8192
# type: rsa
ssh_force_create_host_key_files
Force the creation of host key files.
ssh_force_create_host_key_files: false # sshd
ssh_max_auth_retries
Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
ssh_max_auth_retries: 2
ssh_client_alive_interval
ssh_client_alive_interval: 300 # sshd
ssh_client_alive_count
ssh_client_alive_count: 3 # sshd
ssh_permit_tunnel
Allow SSH Tunnels
ssh_permit_tunnel: false
ssh_remote_hosts
Hosts with custom options. # ssh
ssh_remote_hosts: []
# Example
ssh_remote_hosts:
- names: ['example.com', 'example2.com']
options: ['Port 2222', 'ForwardAgent yes']
- names: ['example3.com']
options: ['StrictHostKeyChecking no'] # disables host key verification for these hosts and exposes the client to man-in-the-middle attacks; use only for disposable/ephemeral hosts
ssh_allow_root_with_key
Set this to "prohibit-password" (or its deprecated alias "without-password") to allow root login with keys only, or to "yes" to allow any root login including passwords. Keep "no" unless direct root access is really required.
ssh_allow_root_with_key: 'no' # sshd
ssh_allow_tcp_forwarding
false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
ssh_allow_tcp_forwarding: false # sshd
ssh_gateway_ports
false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
Set to 'clientspecified' to allow the client to specify which address to bind to.
ssh_gateway_ports: false # sshd
ssh_allow_agent_forwarding
false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
ssh_allow_agent_forwarding: false # sshd
ssh_pam_support
true if SSH has PAM support
ssh_pam_support: true
ssh_use_pam
false to disable pam authentication.
ssh_use_pam: false # sshd
ssh_google_auth
false to disable google 2fa authentication
ssh_google_auth: false # sshd
ssh_pam_device
false to disable pam device 2FA input
ssh_pam_device: false # sshd
ssh_gssapi_support
true if the installed SSH build supports GSSAPI
ssh_gssapi_support: false
ssh_kerberos_support
true if the installed SSH build supports Kerberos
ssh_kerberos_support: true
ssh_deny_users
if specified, login is disallowed for user names that match one of the patterns.
ssh_deny_users: '' # sshd
ssh_allow_users
if specified, login is allowed only for user names that match one of the patterns.
ssh_allow_users: '' # sshd
ssh_deny_groups
if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
ssh_deny_groups: '' # sshd
ssh_allow_groups
if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
ssh_allow_groups: '' # sshd
ssh_authorized_keys_file
change default file that contains the public keys that can be used for user authentication.
ssh_authorized_keys_file: '' # sshd
ssh_trusted_user_ca_keys_file
specifies the file containing trusted certificate authorities public keys used to sign user certificates.
ssh_trusted_user_ca_keys_file: '' # sshd
ssh_trusted_user_ca_keys
set the trusted certificate authorities public keys used to sign user certificates.
ssh_trusted_user_ca_keys: [] # sshd
Example
ssh_trusted_user_ca_keys:
- 'ssh-rsa ... comment1'
- 'ssh-rsa ... comment2'
ssh_authorized_principals_file
specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set.
ssh_authorized_principals_file: '' # sshd
Example
ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
%h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, the path is taken to be an absolute path or one relative to the user's home directory.
ssh_authorized_principals
list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set.
ssh_authorized_principals: [] # sshd
Example
ssh_authorized_principals:
- {
path: '/etc/ssh/auth_principals/root',
principals: ['root'],
owner: '{{ ssh_owner }}',
group: '{{ ssh_group }}',
directoryowner: '{{ ssh_owner }}',
directorygroup: '{{ ssh_group}}',
}
- {
path: '/etc/ssh/auth_principals/myuser',
principals: ['masteradmin', 'webserver'],
}
ssh_print_motd
false to disable printing of the MOTD
ssh_print_motd: false # sshd
ssh_print_last_log
false to disable display of last login information
ssh_print_last_log: false # sshd
ssh_banner
false to disable serving /etc/ssh/banner.txt before authentication is allowed
ssh_banner: false # sshd
ssh_print_debian_banner
false to disable distribution version leakage during initial protocol handshake
ssh_print_debian_banner: false # sshd (Debian OS family only)
ssh_sftp_enabled
true to enable sftp configuration
ssh_sftp_enabled: '{{ sftp_enabled | default(false) }}'
ssh_sftp_chroot
false to disable sftp chroot
ssh_sftp_chroot: '{{ sftp_chroot | default(true) }}'
ssh_sftp_chroot_dir
change default sftp chroot location. sshd requires every path component of the chroot directory to be owned by root and not writable by any other user or group, otherwise SFTP logins fail.
ssh_sftp_chroot_dir: "{{ sftp_chroot_dir | default('/home/%u') }}"
ssh_server_sftp_password_login
If true, password login for SFTP users is allowed (defaults to false, in line with `ssh_server_password_login`)
ssh_server_sftp_password_login: false # sshd
# Example: allow password authentication for the chrooted SFTP users only
ssh_server_sftp_password_login: true
ssh_client_roaming
enable experimental client roaming. Keep this false: roaming was an undocumented experimental client feature that was later removed from OpenSSH after a security issue, and it has no use on a hardened host.
ssh_client_roaming: false
ssh_server_match_user
list of hashes (containing user and rules) to generate Match User blocks for.
ssh_server_match_user: false # sshd
ssh_server_match_group
list of hashes (containing group and rules) to generate Match Group blocks for.
ssh_server_match_group: false # sshd
ssh_server_match_address
list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
ssh_server_match_address: false # sshd
ssh_server_permit_environment_vars
false to disable `PermitUserEnvironment`. Leave disabled unless needed: user-controlled environment processing may let users bypass access restrictions (e.g. forced commands) via mechanisms such as LD_PRELOAD.
ssh_server_permit_environment_vars: false
ssh_max_startups
maximum number of concurrent unauthenticated connections to the SSH daemon (`MaxStartups`), in `start:rate:full` form: once 10 unauthenticated connections are pending, 30% of new ones are refused, rising linearly to 100% at 100 pending connections
ssh_max_startups: '10:30:100' # sshd
ssh_ps53
ssh_ps53: 'yes'
ssh_ps59
ssh_ps59: 'sandbox'
ssh_macs
explicit list of MACs to configure; if left empty (the default) the role presumably falls back to the matching `ssh_macs_*_default` list for the installed OpenSSH version
ssh_macs: []
ssh_ciphers
explicit list of ciphers to configure; if left empty the version-specific `ssh_ciphers_*_default` list is presumably used
ssh_ciphers: []
ssh_kex
explicit list of key exchange algorithms to configure; if left empty the version-specific `ssh_kex_*_default` list is presumably used
ssh_kex: []
ssh_macs_53_default
Only relevant for OpenSSH 5.3 hosts. hmac-ripemd160 and hmac-sha1 are legacy algorithms kept solely because that version offers nothing stronger — upgrade such hosts rather than relying on this list.
ssh_macs_53_default:
- hmac-ripemd160
- hmac-sha1
ssh_macs_59_default
ssh_macs_59_default:
- hmac-sha2-512
- hmac-sha2-256
- hmac-ripemd160
ssh_macs_66_default
ssh_macs_66_default:
- [email protected]
- [email protected]
- [email protected]
- hmac-sha2-512
- hmac-sha2-256
ssh_macs_76_default
ssh_macs_76_default:
- [email protected]
- [email protected]
- [email protected]
- hmac-sha2-512
- hmac-sha2-256
ssh_ciphers_53_default
ssh_ciphers_53_default:
- aes256-ctr
- aes192-ctr
- aes128-ctr
ssh_ciphers_66_default
ssh_ciphers_66_default:
- [email protected]
- [email protected]
- [email protected]
- aes256-ctr
- aes192-ctr
- aes128-ctr
ssh_kex_59_default
ssh_kex_59_default:
- diffie-hellman-group-exchange-sha256
ssh_kex_66_default
ssh_kex_66_default:
- [email protected]
- diffie-hellman-group-exchange-sha256
ssh_custom_selinux_dir
directory where to store ssh_password policy
ssh_custom_selinux_dir: '/etc/selinux/local-policies'
sshd_moduli_file
path of the Diffie-Hellman moduli file used for `diffie-hellman-group-exchange-*` key exchange
sshd_moduli_file: '/etc/ssh/moduli'
sshd_moduli_minimum
minimum DH group size in bits; groups smaller than this are presumably removed from the moduli file so that weak groups are never offered
sshd_moduli_minimum: 2048
ssh_challengeresponseauthentication
false to disable `ChallengeResponseAuthentication` (renamed `KbdInteractiveAuthentication` in newer OpenSSH). Note that PAM-based 2FA via `ssh_google_auth` or `ssh_pam_device` typically requires this to be enabled.
ssh_challengeresponseauthentication: false
ssh_server_revoked_keys
a list of public keys that are never accepted by the ssh server
ssh_server_revoked_keys: []
ssh_hardening_enabled
Set to false to turn the role into a no-op. Useful when using the Ansible role dependency mechanism.
ssh_hardening_enabled: true
ssh_custom_options
Custom options for the SSH client configuration file. They are written as given and can override the hardened settings above — review each entry.
ssh_custom_options: []
sshd_custom_options
Custom options for the SSH daemon configuration file. They are written as given and can override the hardened settings above (e.g. re-enabling forwarding or password login) — review each entry.
sshd_custom_options: []
Dependencies
None
Example Playbook
- hosts: all
roles:
- skriptfabrik.sshd
Author
License
This project is under the MIT License.
Copyright
(c) 2022, skriptfabrik GmbH
This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the DevSec SSH Baseline.
ansible-galaxy install skriptfabrik/ansible-role-sshd